Watch it: Multiple DNS implementations vulnerable to cache poisoning
Randal, Phil
prandal at herefordshire.gov.uk
Thu Jul 10 13:20:42 IST 2008
query-source defines the IP address (IPv4 or IPv6) and optional port to
be used as the source for outgoing queries from the server.
The default is a random unprivileged port.
There may, of course, be over-zealous firewall rules (or SELinux
policies) which mistakenly insist that the source and destination ports
are both 53, but that's plain wrong.
And dangerous.
Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
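Added example, not code from the thread or from BIND: a small script that automates the two checks discussed above, flagging query-source lines that pin the outgoing port in named.conf, and judging a sample of observed outgoing source ports (as read off netstat or lsof -i) by distinct count and standard deviation. The named.conf snippets and port samples are constructed for illustration; the thresholds in looks_random are assumptions.

```python
import re
import statistics

# Matches "query-source [address X] port N;" and the -v6 form; "port *" or a
# missing port clause is NOT matched, since that leaves BIND free to randomise.
FIXED_PORT_RE = re.compile(
    r"^\s*query-source(?:-v6)?\b.*?\bport\s+(\d+)\s*;", re.IGNORECASE | re.MULTILINE)

def pinned_query_source_ports(named_conf: str) -> list:
    """Return every port number that a query-source line hard-codes."""
    return [int(m.group(1)) for m in FIXED_PORT_RE.finditer(named_conf)]

def port_spread(ports: list) -> dict:
    """Distinct-port count and population standard deviation of a sample."""
    return {
        "distinct": len(set(ports)),
        "stdev": round(statistics.pstdev(ports), 1) if len(ports) > 1 else 0.0,
    }

def looks_random(ports: list, min_distinct: int = 10, min_stdev: float = 1000.0) -> bool:
    """Unique ports that are all in a row pass a distinct-count check but have a
    tiny standard deviation, so both measures must clear their (assumed) floors."""
    s = port_spread(ports)
    return s["distinct"] >= min_distinct and s["stdev"] >= min_stdev

# Constructed sample data
BAD_NAMED_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;     # pins every outgoing query to port 53
    query-source-v6 address * port 53;
};
"""
GOOD_NAMED_CONF = """
options {
    directory "/var/named";
    query-source address *;             # no port clause: random unprivileged port
};
"""
SEQUENTIAL_PORTS = list(range(32768, 32788))   # unique, but consecutive
RANDOM_PORTS = [1891, 40563, 7122, 61004, 29877, 55310, 13446, 48201, 3590,
                62288, 21733, 50019, 9867, 34512, 58940, 17025, 44378, 26609,
                8753, 53166]

if __name__ == "__main__":
    print("bad conf pins ports:", pinned_query_source_ports(BAD_NAMED_CONF))
    print("good conf pins ports:", pinned_query_source_ports(GOOD_NAMED_CONF))
    print("sequential:", port_spread(SEQUENTIAL_PORTS), looks_random(SEQUENTIAL_PORTS))
    print("random:", port_spread(RANDOM_PORTS), looks_random(RANDOM_PORTS))
```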
________________________________
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Farrow
Sent: 10 July 2008 13:07
To: MailScanner discussion
Subject: Re: Watch it: Multiple DNS implementations vulnerable to cache poisoning
If you're running a public DNS server or a DNS server for your LAN
clients then these lines are an extremely good idea...
P.
Randal, Phil wrote:
Have you made sure that in named.conf there are no
query-source port 53;
query-source-v6 port 53;
lines?
Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jason Ede
Sent: 10 July 2008 11:15
To: MailScanner discussion
Subject: RE: Watch it: Multiple DNS implementations vulnerable to cache poisoning
I've patched some servers and they're showing good, but on one behind a firewall it's still showing as poor despite the update being run... It's running CentOS 5.1
Jason
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of shuttlebox
Sent: 10 July 2008 09:42
To: MailScanner discussion
Subject: Re: Watch it: Multiple DNS implementations vulnerable to cache poisoning
On Thu, Jul 10, 2008 at 3:54 AM, Ken A <ka at pacific.net> wrote:
They are probably not random enough. You can look at them with
netstat or
lsof -i
OK, it's the standard deviation that is key to the result. Unique ports but all in a row, for example, is of course not good.
I have now patched one server and it shows GOOD with a high std dev.
/peter
--
Robert Benchley - "Drawing on my fine command of the English language, I said nothing."
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!